# Research: Home Network Security Audit

**Created:** 2026-04-01 (Session 384)
**Status:** AUDIT COMPLETE, fixes in progress
**Router:** ASUS RT-AX86U Pro at 192.168.50.1 (firmware 3.0.0.6.102)
**Method:** API queries via `appGet.cgi` nvram_get

---

## 1. Network Topology

```
ISP (ACT Fibernet, 600 Mbps, 3300 GB cap)
  └── ASUS RT-AX86U Pro "RoshanReethi" (192.168.50.1)
        ├── TP-Link Deco X10 "Robotics" (WAN: 192.168.50.160, LAN: 192.168.68.1)
        │     ├── Titan  (192.168.68.52) — DGX Spark, main brain
        │     ├── Beast  (192.168.68.58) — DGX Spark, background agents
        │     ├── Panda  (192.168.68.57) — RTX 5070 Ti, phone hub
        │     └── Laptop (192.168.68.56)
        └── D-Link "Downstairs" (WAN: 192.168.50.??, LAN: 192.168.100.1)
              └── Cameras, TVs, IoT devices
```

**Triple-NAT:** Three routers, three subnets (50.x, 68.x, 100.x). ASUS sees Deco and D-Link as single devices. Everything behind them is invisible.

---

## 2. ASUS Router Security Audit — Raw Data

Queried via `appGet.cgi` with `nvram_get()` hooks on 2026-04-01.

### Raw nvram Values

| Variable | Value | Meaning |
|----------|-------|---------|
| `wl0_auth_mode_x` | `psk2` | 2.4GHz: WPA2-Personal |
| `wl1_auth_mode_x` | `psk2` | 5GHz: WPA2-Personal |
| `wl0_crypto` | `aes` | 2.4GHz: AES encryption |
| `wl1_crypto` | `aes` | 5GHz: AES encryption |
| `wl0_mfp` | `0` | 2.4GHz: PMF/MFP disabled (no WPA3) |
| `wl1_mfp` | `0` | 5GHz: PMF/MFP disabled (no WPA3) |
| `wl0_wps_enable` | `""` | 2.4GHz: WPS likely disabled |
| `wl1_wps_enable` | `""` | 5GHz: WPS likely disabled |
| `wl0_ssid` | `RoshanReethi` | 2.4GHz SSID |
| `wl1_ssid` | `RoshanReethi` | 5GHz SSID |
| `wl0_closed` | `0` | 2.4GHz: SSID visible (not hidden) |
| `wl1_closed` | `0` | 5GHz: SSID visible (not hidden) |
| `wl0_wpa_psk` | `Bangal0re` | 2.4GHz WiFi password (WEAK) |
| `wl1_wpa_psk` | `Bangal0re` | 5GHz WiFi password (WEAK) |
| `upnp_enable` | `1` | UPnP: ENABLED (security risk) |
| `misc_http_x` | `0` | Remote WAN access: disabled |
| `fw_enable_x` | `1` | Firewall: enabled |
| `fw_dos_x` | `0` | DoS protection: DISABLED |
| `sshd_enable` | `0` | SSH: disabled |
| `telnetd_enable` | `0` | Telnet: disabled |
| `http_enable` | `2` | Admin UI: HTTPS enabled |

---

## 3. Audit Results

### CRITICAL — WiFi Password

**Finding:** Both 2.4GHz and 5GHz bands use password `Bangal0re` — a dictionary word with trivial leet substitution (o→0). Estimated ~20 bits entropy against a targeted dictionary attack. Crackable in minutes with hashcat from a captured WPA2 handshake.

**Risk:** Anyone within WiFi range can join the network, access the router admin page, cameras, servers, and all IoT devices.

**Fix:** Change to `mango-tiger-92-pixel` (4 words + 2-digit number, ~77 bits entropy, 22 chars). Applied via API on 2026-04-01.

**Impact of change:** All WiFi devices disconnected immediately. Need to reconnect cameras, TVs, phones with new password. Wired devices (servers via Deco Ethernet) unaffected.

### HIGH — UPnP Enabled

**Finding:** `upnp_enable=1`. Universal Plug and Play allows any device on the LAN to automatically create port forwarding rules on the router — no authentication required.

**Risk:**
- Malware on any device (camera, TV, phone) can open ports to the internet
- Known attack vector: UPnProxy (Akamai 2018) — 65,000+ routers exploited via UPnP
- IP cameras are especially risky — many have known vulnerabilities and if they can open UPnP ports, they become internet-accessible

**Fix:** Disable UPnP (`upnp_enable=0`). If any device legitimately needs port forwarding, configure it manually in the router's Virtual Server settings.

**Impact:** Some gaming consoles or P2P apps may need manual port forwarding. Cameras, TVs, and servers should not need UPnP.

### MEDIUM — DoS Protection Disabled

**Finding:** `fw_dos_x=0`. The router's built-in DoS (Denial of Service) protection is off.

**Risk:** The router won't drop obvious attack patterns (SYN floods, ping floods, port scans). Low risk for a home network behind ISP NAT, but free protection with no downside.

**Fix:** Enable DoS protection (`fw_dos_x=1`).

**Impact:** None for normal usage. May block some aggressive port scanning tools if you use them for testing.

### OK — Settings That Are Already Good

| Setting | Value | Why It's Good |
|---------|-------|---------------|
| Remote WAN access | Disabled | Router admin not accessible from internet |
| Firewall | Enabled | Basic packet filtering active |
| SSH | Disabled | No remote shell access to router |
| Telnet | Disabled | No unencrypted shell access |
| Admin HTTPS | Enabled | Router login page encrypted on LAN |
| WPS | Likely disabled | No WPS PIN attack vector |
| SSID visible | Yes | Hiding SSID is security theater, not real protection |

### RECOMMENDED — WPA3 Upgrade (Deferred)

**Finding:** `wl0_mfp=0`, `wl1_mfp=0`. Protected Management Frames disabled. This means no WPA3 capability is active.

**Recommendation:** Switch auth mode from `psk2` (WPA2) to `psk2sae` (WPA2/WPA3 mixed mode) and set `mfp=1` (capable) or `mfp=2` (required).

**Why deferred:** Some older cameras may only support WPA2. Mixed mode (`psk2sae`) should be safe — WPA3-capable devices use WPA3, older devices fall back to WPA2. But needs testing with all cameras first.

**To apply later:**
```
wl0_auth_mode_x=psk2sae  (was: psk2)
wl1_auth_mode_x=psk2sae  (was: psk2)
wl0_mfp=1                (was: 0) — 1=capable, 2=required
wl1_mfp=1                (was: 0)
```

---

## 4. Changes Applied

### 2026-04-01 — Session 384

| # | Change | nvram Variable | Old Value | New Value | Method |
|---|--------|---------------|-----------|-----------|--------|
| 1 | WiFi password (both bands) | `wl0_wpa_psk`, `wl1_wpa_psk` | `Bangal0re` | `mango-tiger-92-pixel` | API: `start_apply.htm` with `restart_wireless` |
| 2 | Disable UPnP | `upnp_enable` | `1` | `0` | API: `start_apply.htm` |
| 3 | Enable DoS protection | `fw_dos_x` | `0` | `1` | API: `start_apply.htm` |

---

## 5. D-Link DSL-5300 "Downstairs" Security Audit

**Model:** D-Link DSL-5300 (HW: A1, FW: 1.05, Copyright 2016)
**Admin URL:** http://192.168.100.1/info/Login.html (must be on "Downstairs" WiFi)
**Admin Password:** catchme1fy0ucan
**MAC:** 78:32:1B:5D:29:78
**WAN IP:** 192.168.50.122 (on ASUS subnet, DHCP)
**LAN:** 192.168.100.0/24 (DHCP range .100-.199)
**SSID:** DownStairs
**Connected Clients:** 14
**Method:** Playwright browser automation via admin web UI

### 5.1 Raw Settings

| Setting | Value | Verdict |
|---------|-------|---------|
| WiFi Password | `Bangal0re` | **CRITICAL** — same weak password as ASUS had |
| Security Mode | WPA/WPA2-Personal | CHANGE — no WPA3 |
| WPS-PBC | **Enabled** | **CRITICAL** — brute-forceable regardless of password |
| WPS-PIN | Locked, PIN: `10699508` | **CRITICAL** — PIN visible on page |
| WPS Status | Enabled/Configured | **CRITICAL** |
| Smart Connect | Enabled | OK — combines 2.4G+5G bands |
| Transmission Power | High | OK |
| SPI Firewall (IPv4) | **Disabled** | **CRITICAL** — basic firewall is OFF |
| Anti-spoof Checking | **Disabled** | **HIGH** — no IP spoofing protection |
| IPv6 Simple Security | **Disabled** | HIGH |
| IPv6 Ingress Filtering | **Disabled** | HIGH |
| DMZ | Disabled | OK |
| UPnP | **Enabled** | **HIGH** — devices can open ports automatically |
| IPv4 Multicast | Enabled | OK (needed for some IoT) |
| IPv6 Multicast | Enabled | OK |
| Remote Management | Disabled | OK |
| Telnet Server | Disabled | OK |
| HTTPS Admin | Disabled | MEDIUM — admin page unencrypted on LAN |
| CAPTCHA | Disabled | LOW |
| DHCP Server | Enabled | OK (router mode) |
| DNS Relay | Enabled | OK |
| Parental Control | Disabled (all devices) | OK |
| Firmware | 1.05 (2016) | **HIGH** — very old, likely has known CVEs |

### 5.2 Connected Devices (14 total)

| # | Name | Vendor | IP | Connection | Type (inferred) |
|---|------|--------|-----|------------|-----------------|
| 1 | 001788a9a581 | Philips | .145 | LAN (wired) | Philips Hue Bridge |
| 2 | Logitech | Logitech | .153 | WiFi 5GHz | Camera (Circle?) |
| 3 | Logitech | Logitech | .127 | WiFi 5GHz | Camera |
| 4 | Logitech | Logitech | .128 | WiFi 2.4GHz | Camera |
| 5 | Down-Stairs-TV | Samsung | .162 | WiFi 5GHz | Samsung Smart TV |
| 6 | C100_29109A | Samsung | .150 | WiFi 2.4GHz | Samsung camera |
| 7 | C100_29203B | Samsung | .139 | WiFi 2.4GHz | Samsung camera |
| 8 | MAC-83AC28 | Samsung | .170 | WiFi 5GHz | Unknown Samsung |
| 9 | W9Y-IN-RHA2578A | Samsung | .129 | WiFi 2.4GHz | Samsung appliance |
| 10 | LGWEBOSTV | Samsung(?) | .101 | WiFi 5GHz | LG Smart TV (webOS) |
| 11 | * (unnamed) | Samsung | .197 | WiFi 5GHz | Unknown |
| 12 | * (unnamed) | Samsung | .169 | WiFi 5GHz | Unknown |
| 13 | * (unnamed) | Samsung | .107 | WiFi 5GHz | Unknown |
| 14 | physical-ai-lab | Samsung | .120 | WiFi 5GHz | Rajesh's device? |

**Notable:** 3 Logitech cameras, 2+ Samsung cameras (C100 = Samsung SmartCam?), Philips Hue bridge (wired), 2 TVs (Samsung + LG), several unnamed Samsung devices.

### 5.3 Critical Issues Summary

1. **WiFi password `Bangal0re`** — same weak password. Anyone who knew the ASUS password knows this one too.
2. **WPS is ENABLED with visible PIN** — WPS PIN brute-force takes 4-11 hours regardless of WiFi password strength. This is the #1 vulnerability on this router.
3. **SPI Firewall is OFF** — Stateful Packet Inspection is the basic firewall. With it off, the router does zero traffic filtering.
4. **Anti-spoof is OFF** — no protection against IP spoofing attacks.
5. **UPnP is ON** — cameras can (and likely do) open ports automatically.
6. **Firmware from 2016** — D-Link DSL-5300 FW 1.05 is ~10 years old. Likely has multiple known CVEs. Check D-Link support site for updates.

### 5.4 Fixes to Apply

| # | Change | Priority | Impact |
|---|--------|----------|--------|
| 1 | Change WiFi password to strong passphrase | CRITICAL | All 14 devices disconnect, need reconnection |
| 2 | Disable WPS (PBC + PIN) | CRITICAL | No impact on normal devices |
| 3 | Enable SPI Firewall | CRITICAL | Usually none; may affect IoT devices that rely on unsolicited inbound traffic |
| 4 | Enable Anti-spoof Checking | HIGH | No impact on normal usage |
| 5 | Disable UPnP | HIGH | Cameras may lose cloud connectivity if they use UPnP for NAT traversal |
| 6 | Check for firmware update | HIGH | May require manual download from D-Link |
| 7 | Enable CAPTCHA on admin login | LOW | Minor friction |
| 8 | Enable HTTPS for admin | MEDIUM | Need to access via https:// afterwards |

### 5.5 D-Link DSL-5300 Notes

- **DSL modem/router combo** — has a DSL port (currently showing "Disabled" = not using DSL). Being used as a pure WiFi router connected to ASUS via Ethernet WAN.
- **2016 firmware** — this is a discontinued product. D-Link may not have released patches.
- **"SAMSUNG ELECT..." vendor** on most devices — the D-Link UI appears to misidentify many device vendors as Samsung Electronics. The MAC OUI lookup may be inaccurate or the database is outdated (2016).
- **physical-ai-lab** — this is clearly a named device, likely Rajesh's. Need confirmation.

### 5.6 Changes Applied (Session 384)

| # | Change | Before | After | Status |
|---|--------|--------|-------|--------|
| 1 | WiFi password | `Bangal0re` | `mango-tiger-92-pixel` | DONE — verified (Rajesh reconnected) |
| 2 | Disable WPS-PBC | Enabled | Disabled | DONE — verified |
| 3 | Enable SPI Firewall | Disabled | Enabled | DONE — verified |
| 4 | Enable Anti-spoof + IPv6 security | Disabled | All 4 Enabled | DONE — verified |
| 5 | Disable UPnP | Enabled | Disabled | DONE — verified |
| 6 | Firmware update | v1.05 (2018-11-23) | v1.07 available (2019-05-16) | SKIPPED — no security fixes in v1.07 |

### 5.7 Firmware Update

- **Current:** v1.05 (2018-11-23)
- **Latest available:** v1.07 (2019-05-16) from D-Link Australia
- **Download:** http://files.dlink.com.au/products/DSL-5300/REV_A/Firmware/DSL-5300_AU_v1.07/
- **Release notes:** http://files.dlink.com.au/products/DSL-5300/REV_A/Firmware/DSL-5300_AU_v1.07/Release_Notes_v1.07.txt
- **Important:** Must flash over wired Ethernet, not WiFi. Factory reset recommended after update.
- **Note:** Even v1.07 is from 2019 — this is a discontinued product. No further updates expected.
- **Decision (Session 384):** SKIPPED. v1.07 contains only PPPoA/routing fixes, which are not used here (the router is on DHCP via Ethernet), and no security patches. The factory reset required after flashing would wipe all 5 security fixes. Not worth the effort.

### WPA3 Mixed Mode
- Test `psk2sae` with all cameras before switching
- Some older cameras may not reconnect
- Do during a maintenance window

### Guest Network for IoT
- ASUS supports guest networks that isolate devices from the main LAN
- Cameras/TVs don't need LAN access to servers
- Consider: put cameras on guest network, servers on main network

### Router Admin Password
- Current: `4cnhi5q7?7` (10 chars, random, acceptable for LAN-only access)
- Recommendation: upgrade to 16+ chars when convenient (not urgent)

---

## 6. How the Audit Was Done

1. Logged into ASUS router via `asusrouter` library (nonce-based SHA256 auth)
2. Used browser JavaScript to call `appGet.cgi` with `nvram_get()` for each setting
3. Cross-referenced values against ASUS documentation and known defaults
4. Applied fixes via `start_apply.htm` CGI endpoint with appropriate `action_script`

**No firmware changes, no Merlin, no SSH to router.** All done via the stock web API.
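
Step 3 (cross-referencing values) can be made repeatable with a small offline rule check, shown here as an added example rather than the tooling used in this audit. It assumes the nvram values have already been fetched into a dict; `MIN_PSK_LEN`, the rule tables, the meaning of `wps_enable=0`, and the stand-in PSK strings are assumptions, and the remaining sample values come from the raw nvram table and the Session 384 change log.

```python
MIN_PSK_LEN = 16  # assumed local policy; length is only a coarse strength proxy
RULES = {  # variable -> (acceptable values, severity otherwise, finding text)
    "upnp_enable":    ({"0"}, "HIGH", "UPnP enabled"),
    "fw_enable_x":    ({"1"}, "CRITICAL", "firewall disabled"),
    "fw_dos_x":       ({"1"}, "MEDIUM", "DoS protection disabled"),
    "misc_http_x":    ({"0"}, "CRITICAL", "remote WAN access enabled"),
    "sshd_enable":    ({"0"}, "HIGH", "SSH enabled"),
    "telnetd_enable": ({"0"}, "HIGH", "Telnet enabled"),
}
BAND_RULES = {  # per band, keyed by the suffix after "wl0_" / "wl1_"
    "auth_mode_x": ({"psk2sae"}, "RECOMMENDED", "not WPA2/WPA3 mixed mode"),
    "crypto":      ({"aes"}, "HIGH", "cipher is not AES"),
    "mfp":         ({"1", "2"}, "RECOMMENDED", "PMF disabled"),
    "wps_enable":  ({"0"}, "CRITICAL", "WPS enabled"),  # "0" = off is assumed
}

def audit(nvram, bands=("wl0", "wl1")):
    """Return a list of (severity, variable, message) for one snapshot."""
    checks = dict(RULES)
    for band in bands:
        checks.update({f"{band}_{s}": r for s, r in BAND_RULES.items()})
    findings = []
    for var, (ok, severity, text) in checks.items():
        value = nvram.get(var, "")
        if value == "":
            # Absent or empty proves nothing: report it rather than guess.
            findings.append(("UNKNOWN", var, "no value returned"))
        elif value not in ok:
            findings.append((severity, var, f"{text} (value {value!r})"))
    for band in bands:
        psk = nvram.get(f"{band}_wpa_psk", "")
        if len(psk) < MIN_PSK_LEN:  # never echo the PSK itself into a report
            findings.append(("CRITICAL", f"{band}_wpa_psk", "PSK missing or too short"))
    return findings

def open_findings(nvram):
    """Variables flagged with a real severity, sorted; UNKNOWN is excluded."""
    return sorted(var for sev, var, _ in audit(nvram) if sev != "UNKNOWN")

# Values from the raw nvram table (both bands identical); PSK is a constructed stand-in.
BAND = {"auth_mode_x": "psk2", "crypto": "aes", "mfp": "0",
        "wps_enable": "", "wpa_psk": "weak9char"}
BEFORE = {"upnp_enable": "1", "fw_enable_x": "1", "fw_dos_x": "0",
          "misc_http_x": "0", "sshd_enable": "0", "telnetd_enable": "0"}
BEFORE.update({f"{b}_{k}": v for b in ("wl0", "wl1") for k, v in BAND.items()})
# Snapshot after the three changes recorded for Session 384 (constructed PSK).
AFTER = {**BEFORE, "upnp_enable": "0", "fw_dos_x": "1",
         "wl0_wpa_psk": "constructed-long-passphrase",
         "wl1_wpa_psk": "constructed-long-passphrase"}
```

Calling `open_findings(BEFORE)` and `open_findings(AFTER)` shows which variables the applied changes cleared and that only the deferred WPA3 items remain; the empty `wl0_wps_enable`/`wl1_wps_enable` values surface as `UNKNOWN` from `audit()` rather than being counted as disabled.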
